HeapTherapy+: Efficient Handling of (Almost) All Heap - PowerPoint PPT Presentation


  1. HeapTherapy+: Efficient Handling of (Almost) All Heap Vulnerabilities Using Targeted Calling-Context Encoding
     Qiang Zeng, Golam Kayas, Emil Mohammed, Lannan Luo, Xiaojiang Du, and Junghwan Rhee
     DSN 2019

  2. Trend of Memory Vulnerability Exploitation
     • Memory vulnerability exploitation
       • Stack-based
       • Heap-based
     • Many effective protections for call stacks
       • Stack canaries
       • Reordering local variables
       • Safe SEH (Structured Exception Handling)
     • Heap vulnerability exploitation has become the trend
       • Heartbleed: heap buffer over-read
       • WannaCry: heap buffer overwrite
       • Popular ROP (return-oriented programming) attack [1]: heap overflow => overwrite a function pointer => stack pivoting
     [1] McAfee, “Emerging ‘Stack Pivoting’ Exploits Bypass Common Security”, 2013

  3. “Because the success of stack-based exploits has been reduced by the numerous security measures, heap-based attacks are now common” [Ratanaworabhan 2009]
     [Ratanaworabhan 2009] Ratanaworabhan, et al. "NOZZLE: A Defense Against Heap-spraying Code Injection Attacks." USENIX Security 2009.

  4. Types of Heap Vulnerabilities
     • Uninitialized read
         str = (char*) malloc(128);
         … // str is not initialized
         cout << str;
       • Information leakage; …

  5. Types of Heap Vulnerabilities
     • Uninitialized read
       • Information leakage; …
     • Use-after-free
         (1) D *p = new D();
         …
         (2) delete p;
         (3) … // buffer re-allocated and used
         (4) p->foo(); // use-after-free
       • Control-flow hijacking; …
     [Figure: object p's "this" pointer refers to its virtual function table (foo(), bar()); after the use-after-free the slot points to a malicious virtual function table]
     “More than 50% of known attacks targeting Windows 7 exploit use-after-free” [Zhang 2016]
     [Zhang 2016] Zhang, Chao, et al. "VTrust: Regaining Trust on Virtual Calls." NDSS 2016.

  6. Types of Heap Vulnerabilities
     • Uninitialized read
       • Information leakage; …
     • Use-after-free
       • Control-flow hijacking; …
     • Buffer overflow
       • Over-write
         • Manipulating data; control-flow hijacking; …
       • Over-read
         • Information leakage; …

  7. Existing Measures
     • Checking every buffer access is great … but expensive (runtime overhead):
       • SoftBound (handles overflow and use-after-free): 67%
       • AddressSanitizer (handles overflow and use-after-free): 73%
       • MemorySanitizer (handles uninitialized read): 2.5x
     • SFI (software fault isolation), CFI (control-flow integrity), XFI, CPI (code pointer integrity), …
       • Challenges when working with existing shared libs (legacy code)
       • Some (like XFI) are still very expensive
     • Our previous work
       • Cruiser [PLDI’11], Kruiser [NDSS’12]: only handle overwrite
       • HeapTherapy [DSN’15]: only handles overwrite and over-read

  8. A Patching Perspective
     • Patching is an indispensable step throughout the life of a software system; however,
       • 153 days on average for delivering a patch [1]
       • Only 65% of vulnerabilities have patches available [2]
       • Fresh patches break systems frequently
     • Our goals
       • Handle heap overflow, uninitialized read, and use-after-free
       • Generate patches instantly with zero manual diagnosis effort
       • Install patches without altering code, i.e., code-less patching
       • A very small overhead
     [1] S. Frei, “The Known Unknowns,” 2013.
     [2] S. Frei, “End-point security failures, insight gained from Secunia PSI scans,” 2011.

  9. Hypotheses
     • Given a heap buffer overflow bug, the vulnerable buffers share the same calling context when they are allocated
     • More generally, for a use-after-free or uninitialized-read vulnerability, the vulnerable buffers share the same calling context when they are allocated

  10. Verifying Hypotheses
      Given this vulnerability, many different exploits were collected and replayed.
      [Figure: calling context recorded for the replayed exploits]
        clone
        start_thread
        handle_one_connection
        do_handle_one_connection
        thd_prepare_connection
        do_command
        MDL_key::mdl_key_init
        my_malloc
        malloc
        stpcpy
      Figure labels: "Pathogen buffers are allocated" / "Vulnerable buffers are allocated"; "Pathogen buffers are overflowed" / "Vulnerable buffers are exploited"

  11. Main Approach
      Using the allocation-time calling context to characterize vulnerable buffers:
      1. When replaying the attack, record the allocation-time calling context of each buffer. When the offending operation (e.g., overflow) is detected, output the allocation-time calling context of the vulnerable buffer.
      2. During runtime, if a buffer being allocated has that allocation-time calling context, enhance it.

  12. Challenges
      • How to retrieve and compare calling contexts efficiently?
        • Retrieving the calling context via stack walking is too expensive
        • ASLR makes the collected return addresses (RAs) useless
      • How to bridge offline attack analysis and online defense generation?
      • How to achieve code-less patching?
      • How to handle the diverse vulnerabilities in a uniform way?

  13. • Targeted Calling Context Encoding
      • Offline Attack Analysis and Patch Generation
      • Online Defense Generation

  14. Calling Context Encoding
      • Using an integer (or very few integers) to encode the calling context
        • The integer is updated at each function call and return, using simple arithmetic operations
        • <3% slowdown; concise representation
      • Wide applications: testing coverage, anomaly detection, compilation optimization, logging, …

                                  PCC [Bond 2007]   PCCE [Sumner 2010]   DeltaPath [Zeng 2014]
        Supports object-oriented  ✔                 ✗                    ✔
        Decoding                  ✗                 ✔                    ✔
        Scalability               ✗                 ✗                    ✔

  15. Example: PCC
      • Goal: each unique ID represents a unique calling context
      • Instrumented program (ID is a global; t saves the caller's ID; each call site sets ID = t * 3 + <site constant>):
          ID = 0
          B() {
            t = ID
            ID = t * 3 + 2
            C();             // C is entered with ID = 2
            ID = t * 3 + 3
            D();             // D is entered with ID = 3
          }
          C() {
            t = ID
            ID = t * 3 + 7
            D();             // D is entered with ID = 13
          }
          D() {
            Sensitive API!   // calling context?
          }
      • Answer: read the variable “ID” to get the calling context ID

  16. Targeted Calling Context Encoding
      • A set of ideas that minimize the encoding overhead
      • Key insight: when the target functions, whose calling contexts are of interest, are known, many call sites do not need to be instrumented
        • E.g., some functions never appear in the calling contexts that lead to the target functions
      • Target functions in our work: malloc, calloc, realloc, memalign, aligned_alloc

  17. [Figure: four instrumentation variants of one call graph with targets T1 and T2]
      (a) FCS (full-call-site instrumentation): original PCC encoding
      (b) TCS (targeted-call-site): H and I cannot reach the targets T1 and T2, so their call sites need no instrumentation
      (c) Slim: B, E and G each have only one out-going edge that reaches the targets
      (d) Incremental: F-T1 and F-G-T2 can be distinguished through the target
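Added example (not code from the slides or from the HeapTherapy+ implementation): the B/C/D program of slide 15 as runnable C, with the global ID updated by the PCC arithmetic ID = t * 3 + site, plus two of the targeted-encoding ideas from slides 16 and 17: a hypothetical function H that cannot reach the target stays uninstrumented (TCS), and a flag applies the Slim rule to C, which has a single out-going edge towards the target, to show that the two contexts remain distinguishable with one fewer instrumented site. The names target, H, run_pcc and id_at, the restore-on-return step, and the site constants 2, 3, 7 are constructed for this example.

```c
/* Calling-context ID, updated with PCC-style arithmetic (constructed example). */
static unsigned long ID = 0;
/* When set, apply the "Slim" rule: a function with a single out-going edge
 * towards the targets (here C) skips its call-site update. */
static int slim_mode = 0;

/* Target function (a stand-in for malloc): records the context ID it observes. */
static void target(unsigned long *ids, int *n) { ids[(*n)++] = ID; }

/* H() cannot reach any target, so under targeted encoding its call sites are
 * never instrumented: it neither reads nor updates ID. */
static int H(int x) { return x * 2; }

static void C(unsigned long *ids, int *n) {
    unsigned long t = ID;
    if (!slim_mode) ID = t * 3 + 7;   /* call site 7: C -> target */
    target(ids, n);
    ID = t;                           /* restore the caller's ID on return */
}

static void B(unsigned long *ids, int *n) {
    unsigned long t = ID;
    ID = t * 3 + 2;                   /* call site 2: B -> C */
    C(ids, n);
    H(1);                             /* uninstrumented: no encoding work */
    ID = t * 3 + 3;                   /* call site 3: B -> target */
    target(ids, n);
    ID = t;
}

/* Run B() from the empty context; fills ids with the ID seen at each target call
 * (first via B->C->target, then via B->target) and returns how many were recorded. */
int run_pcc(unsigned long *ids, int slim) {
    int n = 0;
    slim_mode = slim;
    ID = 0;
    B(ids, &n);
    return n;
}

/* The ID observed at the k-th target call (k = 0 via B->C, k = 1 via B). */
unsigned long id_at(int k, int slim) {
    unsigned long ids[4];
    run_pcc(ids, slim);
    return ids[k];
}
```

With full instrumentation the target sees 13 and 3, exactly the slide's values; with the Slim rule it sees 2 and 3, still distinct.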

  18. Encoding overhead
      • Implementation: added an LLVM pass for instrumentation
      • Evaluation: SPEC CPU2006 Integer
      • Size overhead
        • PCC: 12%
        • Targeted Calling Context Encoding: 4.4%
        • 2.7x improvement
      • Speed overhead
        • PCC: 2.4%
        • Targeted Calling Context Encoding: 0.4%
        • 6x speedup

  19. • Targeted Calling Context Encoding
      • Offline Attack Analysis and Patch Generation
      • Online Defense Generation

  20. [Figure: system overview]
      • One-time program instrumentation: Program → Program Instrumentation Tool → Instrumented program
      • Patch generation: Instrumented program + Attack inputs → Offline Patch Generator → Patches (configuration file)
      • Patched program execution: Program + Configuration file → Online Defense Generator

  21. [Figure: application memory bytes 1 … n, each mirrored by shadow memory holding one A-bit and eight V-bits]
      • Accessibility-bit (A-bit): whether the byte can be accessed
        • If a buffer has been freed, all its A-bits are 0
        • Each buffer is surrounded by two red zones (16B each), whose A-bits are 0
      • Validity-bit (V-bit): whether the bit is initialized
        • When a fresh buffer is malloc-ed, all its V-bits are 0
      • Each buffer’s alloc-API and CCID are recorded
      (1) Detect overflow: an overflow will touch the inaccessible red zone
      (2) Detect use-after-free: a freed buffer is set as inaccessible and then added to a queue to delay the space reuse
      (3) Detect uninitialized read: more complex, but mainly relies on V-bits

  22. Patches as a configuration file
      • Each patch is simply a tuple <alloc-API, CCID, vul-type>
      • Code-less patching: to “install” a patch, just add one line to the config file
      Configuration file <API, CCID, Vulnerability>:
        …
        <memalign, 1854955292, OVERFLOW>
        <calloc, 8643565443, USE-AFTER-FREE>
        <malloc, 2598251483, UNINITIALIZED-READ>
        …
      (Read by the Online Defense Generator)

  23. • Targeted Calling Context Encoding
      • Offline Attack Analysis and Patch Generation
      • Online Defense Generation

  24. Patches read into a hash table
      Configuration file <API, CCID, Vulnerability>:
        …
        <memalign, 1854955292, OVERFLOW>
        <calloc, 8643565443, USE-AFTER-FREE>
        <malloc, 2598251483, UNINITIALIZED-READ>
        …
      Read by the Online Defense Generator (a shared lib) into a hash table:
        Key                        Value
        <MEMALIGN, 1854955292>     001 (binary)
        <CALLOC, 8643565443>       010 (binary)
        <MALLOC, 2598251483>       100 (binary)
        …                          …

  25. Vulnerability Handling
      • Handle overflow
        • Append a guard page to each vulnerable buffer
      • Handle use-after-free
        • Delay the deallocation of the freed vulnerable buffers
      • Handle uninitialized read
        • Initialize the newly allocated vulnerable buffer with zeros
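Added example (not the project's code) of the online side of slides 22 to 25: parsing <API, CCID, Vulnerability> config lines into the 001/010/100 bit values of the hash table, looking up the <API, CCID> key at allocation time, and enhancing the buffer with an appended guard page (OVERFLOW) or zero-fill (UNINITIALIZED-READ). It assumes a hypothetical wrapper patched_malloc(n, ccid) that receives the current calling-context ID from its caller; the real system reads the CCID produced by the instrumented program and also handles the free path (delayed deallocation for USE-AFTER-FREE), which is not shown here.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Vulnerability bits, matching the slide's hash-table values (001, 010, 100). */
enum { F_OVERFLOW = 1, F_UAF = 2, F_UNINIT = 4 };
struct patch { char api[16]; unsigned long long ccid; unsigned flags; };
static struct patch patches[64];
static int npatches;
/* "Install" one patch: parse a "<API, CCID, Vulnerability>" config line. Returns 1 on success. */
int add_patch_line(const char *line) {
    char vul[32];
    struct patch *p = &patches[npatches];
    if (npatches >= 64 || sscanf(line, " <%15[^,], %llu, %31[^>]>", p->api, &p->ccid, vul) != 3)
        return 0;
    p->flags = !strcmp(vul, "OVERFLOW") ? F_OVERFLOW : !strcmp(vul, "USE-AFTER-FREE") ? F_UAF
             : !strcmp(vul, "UNINITIALIZED-READ") ? F_UNINIT : 0;
    if (!p->flags) return 0;        /* unknown vulnerability names are rejected */
    npatches++; return 1;
}
/* Flags for an <API, CCID> key, merged over matching lines; 0 means "allocate normally". */
unsigned lookup_flags(const char *api, unsigned long long ccid) {
    unsigned f = 0;
    for (int i = 0; i < npatches; i++)
        if (patches[i].ccid == ccid && !strcmp(patches[i].api, api)) f |= patches[i].flags;
    return f;
}
/* malloc replacement: the allocation-time CCID decides whether the buffer gets enhanced. */
void *patched_malloc(size_t n, unsigned long long ccid) {
    unsigned f = lookup_flags("malloc", ccid);
    char *p = NULL;
    if (f & F_OVERFLOW) {   /* append a guard page: the first byte past the buffer faults */
        size_t pg = (size_t)sysconf(_SC_PAGESIZE), total = (n + pg - 1) / pg * pg + pg;
        char *base = mmap(NULL, total, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (base == MAP_FAILED || mprotect(base + total - pg, pg, PROT_NONE) != 0) return NULL;
        p = base + total - pg - n;   /* buffer ends exactly where the guard page begins */
    } else {
        p = malloc(n);
    }
    if (p && (f & F_UNINIT)) memset(p, 0, n);   /* zero-fill defeats uninitialized reads */
    return p;
}
/* True when p is non-NULL and all n bytes are zero (checks the UNINITIALIZED-READ handling). */
int is_zeroed(const unsigned char *p, size_t n) {
    for (size_t i = 0; p && i < n; i++) if (p[i]) return 0;
    return p != NULL;
}
```

Requires a POSIX system with mmap/mprotect; the guard-page mapping is never unmapped in this example, and the buffer it returns is not 16-byte aligned, which a production allocator would have to handle.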
